
Sometimes I'm in a dilemma when I want to open an archive file: is there any risk in opening it? I'm not sure if an attacker can use any trick that will trigger malware just by clicking on it.

I'm not talking about clicking or opening what's inside archive file, but just opening archive file.

So is there any risk in doing that?

user134969

3 Answers


A well-known trick is to disguise a PE or executable program as another file, a PDF or an archive for example.

Since most people rely on the file's icon or extension, it works pretty well on common users.

For instance we (the sec folks) disguised a PE file as a pdf (which was actually a vbs file) named im_now_a_daddy_guyz!.pdf.vbs and sent it via email to all the company employees, explaining in the mail body how happy our accomplice was and that he wanted to share the news.

87% of the company's employees opened it, and the following popup showed up on their screen: "What if I told you I could be a real Malware?" It was in the scope of a security awareness program.

So yes be careful when running files.

If you want to learn how to prevent this, and by the same token, how to trust a file before running it, please read this page, starting at the "Is it fake or real?" part.

Feel free to read the whole article (the 5 parts). It's well written and accessible to anyone who knows how to type things with a keyboard. This article should teach some basic knowledge about the malware reverse engineering field.

Have fun.

Dennis Jaheruddin
Baptiste

  • So, making files' extensions visible is better? – rus9384 Sep 08 '17 at 10:47
  • @Baptiste: pdf actually named im_now_a_daddy_guyz!.pdf.exe, right? – Alex C Sep 08 '17 at 10:52
  • You say you are a security folk? – Alex C Sep 08 '17 at 12:05
  • It was a vbs file, exactly like the LOVE-LETTER-FOR-YOU.txt. Relying on the file name is bad. If you want further detail, ask a proper question on Windows filenames, or search for one. – Baptiste Sep 08 '17 at 12:14
  • I see, it all makes sense now. E-mail clients do show the file extension and this made me curious. I guess mentioning that it was a vbscript and how it worked could be a good addition to the answer. – Alex C Sep 08 '17 at 12:19
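As an added example (not code from the answer or its comments), the script below shows why a name like im_now_a_daddy_guyz!.pdf.vbs works: Windows dispatches on the last extension, while Explorer with "Hide extensions for known file types" strips exactly that extension and leaves the decoy visible. The extension sets are an illustrative subset I chose, not Windows' registered list. It also flags the Unicode right-to-left override character, a related filename trick that goes beyond what the answer describes.

```python
import os

# Extensions that Windows hands to a loader or script host on double-click.
# Illustrative subset (assumption), not an exhaustive list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".msi"}

# Extensions Explorer treats as "known" and hides when
# "Hide extensions for known file types" is on. Illustrative subset (assumption).
KNOWN_EXTS = EXECUTABLE_EXTS | {".pdf", ".txt", ".zip", ".rar", ".docx", ".jpg"}

RLO = "\u202e"  # Unicode right-to-left override


def effective_extension(name: str) -> str:
    """The extension Windows actually dispatches on: text after the last dot."""
    return os.path.splitext(name)[1].lower()


def displayed_name(name: str) -> str:
    """What the user sees in Explorer when known extensions are hidden."""
    stem, ext = os.path.splitext(name)
    return stem if ext.lower() in KNOWN_EXTS else name


def analyse(name: str) -> dict:
    """Compare what a user infers from the displayed name with what
    Windows would actually do on double-click."""
    effective = effective_extension(name)
    shown = displayed_name(name)
    apparent = effective_extension(shown)   # decoy extension left visible, if any
    return {
        "displayed": shown,
        "effective_ext": effective,
        "apparent_ext": apparent,
        # A visible, document-looking extension that is not the real one,
        # e.g. "x.pdf.vbs" displayed as "x.pdf".
        "decoy_ext": bool(apparent) and apparent != effective,
        "executable": effective in EXECUTABLE_EXTS,
        # RLO reverses the rendering of everything after it ("fdp.exe" shows as
        # "exe.pdf"); it has no legitimate use in a filename.
        "rtl_override": RLO in name,
    }


if __name__ == "__main__":
    # Constructed sample names, including the one from the answer above.
    for n in ["im_now_a_daddy_guyz!.pdf.vbs", "File.zip.exe", "report.pdf",
              "setup.exe", "archive.tar.gz", "photo" + RLO + "fdp.exe"]:
        print(n, analyse(n))
```

The "decoy_ext" flag is the one that matters for the awareness test in the answer: the user sees a .pdf, the shell runs a .vbs. Turning extension display on removes the decoy but not the executable flag, so the check on the real extension is still worth doing.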

Yes, there's risk associated with that. If the tool you use to open the archive has vulnerabilities in it, it's possible that parsing a malicious zip or rar file could allow an attacker to exploit the vulnerability.

WinZip has had a few bugs over the years, for example: https://www.cvedetails.com/vulnerability-list/vendor_id-787/Winzip.html

All that being said, the risks are probably pretty small. Nothing is without risk.

David

It depends on the source: where does it come from, is it a trustworthy source or a malicious email?

In any case, there are minor risks involved with just opening a legitimate .zip/.rar file. Minor, because it is the internet, everything has some form of vulnerability.

As Baptiste mentioned, you can disguise an application as a completely different one. Change the icon, make the file name something that is not obvious at first glance. A common strategy is File.zip.pdf or File.zip.exe. Some users do not have full extension display enabled, so they will see: File.zip (Executable application).

If you are worried, you can open the zip in a sandboxed environment, or do a thorough malware check with anti-malware/anti-virus software; that should give the file some credibility.

Josh Ross
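As an added example (not from David's or Josh's answers), the script below inspects a zip without extracting anything, which is the middle ground between "just open it" and a full sandbox: it reads the central directory and the first bytes of each entry, then flags paths that would escape the extraction directory, entries whose content is an executable regardless of their name, names whose extension does not match the sniffed content, and entries whose compression ratio suggests a zip bomb. The magic-byte table and the ratio threshold are illustrative choices of mine, and the archive it inspects is constructed in memory with harmless stub bytes.

```python
import io
import posixpath
import zipfile

# Leading bytes of a few formats worth recognising. Illustrative subset (assumption).
MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP",
}
# What the extension claims the content is, for the formats we can sniff.
CLAIMED = {".pdf": "PDF", ".zip": "ZIP"}
MAX_RATIO = 100  # uncompressed/compressed ratio above which we suspect a zip bomb (assumption)


def sniff(head: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"


def is_unsafe_path(name: str) -> bool:
    """True for absolute paths or paths that climb out of the extraction dir (zip-slip)."""
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return True
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")


def inspect_zip(blob: bytes) -> list:
    """Return one finding per file entry; nothing is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:          # streams; only 8 bytes are decompressed
                head = fh.read(8)
            kind = sniff(head)
            ext = posixpath.splitext(info.filename)[1].lower()
            claimed = CLAIMED.get(ext)
            ratio = info.file_size / info.compress_size if info.compress_size else 0
            findings.append({
                "name": info.filename,
                "content": kind,
                "unsafe_path": is_unsafe_path(info.filename),
                "executable_content": kind.endswith("executable"),
                "content_mismatch": claimed is not None and kind != claimed,
                "bomb_suspect": ratio > MAX_RATIO,
            })
    return findings


def build_sample() -> bytes:
    """Constructed archive for demonstration; the payloads are harmless stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n% constructed harmless stub\n")
        # The File.zip.exe pattern from the answer: PE header behind a decoy name.
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        # A .pdf whose bytes are actually a PE image: name and content disagree.
        zf.writestr("notes.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        # Zip-slip entry: would be written outside the extraction directory.
        zf.writestr("../../.bashrc", b"echo constructed\n")
        # 1 MiB of zeros deflates to about 1 KiB: a tiny zip bomb.
        zf.writestr("big.bin", b"\x00" * (1 << 20))
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample()):
        print(f)
```

This covers the risk the question is really about only partly: the parser bugs David mentions live in the archive tool itself, and no listing script removes them. What the listing does buy you is a decision before the archive touches the real file system, using the file contents rather than the names the attacker chose.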